Bug#1031046: Request to close
Jonas Smedegaard
jonas at jones.dk
Mon Apr 14 10:15:42 BST 2025
Hi Chris,
Quoting Chris Maj via Pkg-voip-maintainers (2025-04-14 10:01:29)
> To address OP's security concerns -- there's been only 12 CVEs upstream in
> 2023/2024, owing to much improved processes, automated tests, etc. These
> continue to be patched in regular upstream releases once or twice a month.
>
> To address chief maintainer's concerns -- there's been several volunteers
> over the past year on the mailing list.

What is needed is not promises but demonstrated praxis.

We need a team that has demonstrated investing the needed skills and
time to backport *any* CVEs *at all*, before we can commit to handling
such an expected rate of 12 CVEs per year.

To avoid misunderstanding: I am *not* blaming the volunteers that have
chimed in, specifically. I really don't know if they are all super
enthusiastic and super skilled and have all simply waited for me to say
"go!" in the appropriate way for us to blossom as a functional team.

Whatever the cause, the team is not yet functional, and what the
security team requested by filing this bug report is that we *first*
demonstrate capability in handling CVEs, and only *then* re-add the
package to stable Debian.

Also, freeze is tomorrow, and it takes at a minimum 3 days for a package
to enter testing, so even if we somehow demonstrated capability today,
we would still be too late to include it.

Thanks for the interest,
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones
[x] quote me freely [ ] ask before reusing [ ] keep private